Privacystatement Coronavirus testing

Coronavirus testing and communication of results

It is important to GGD GHOR Nederland and your Municipal Health Service (GGD) that your privacy is protected. We therefore handle your personal data with due care and take responsibility under the law, such as the General Data Protection Regulation (GDPR).

Who collects and uses my personal data?

Your personal data is collected by GGD GHOR Nederland, the branch organisation of the Municipal Health Services (GGD) and Medical Assistance Organisations in the Region (GHOR). We are the controllers. This means that we are responsible for your personal data being collected, used and stored appropriately and transparently. We ensure that we are complying with the law.

This means that we will handle your data properly and securely.

Your personal data will be shared with:

• Local medical and health service departments, including Municipal Health Service doctors (hereinafter: GGD)
• GGD GHOR Nederland
• Laboratories
• The IT provider of the CoronIT (Topicus) application and the subprocessors
• Teleperformance, the call centre company involved

Laboratories that do not routinely receive samples from the GGD receive a sample with a unique number that they cannot trace back to individuals. This includes laboratories such as Sanquin, HLV and GD. This means that when they carry out the test for COVID-19, they do not know whose test it is. Your personal data will, however, be shared with laboratories that receive samples from the GGD on a routine basis.

Your personal data will be recorded by the call centre employee, a doctor or via the coronatest website in CoronIT. CoronIT is a web application.

CoronIT ensures that the coronavirus testing process and the associated communication are carried out in an orderly manner. The GGD can link the test results to individuals. GGD GHOR Nederland supports the GGDs as a service desk. This means that GGD GHOR Nederland will only be able to view your personal data if that is necessary for solving a problem.

What is my personal data used for?

Your personal data is used for the purpose of testing for the coronavirus and communicating the test results to the GGD and to you. To find out which personal data we request and what else we use it for, read below the chapters on personal data.

Put very simply, the following will happen:

You develop symptoms (such as a cough, fever, shortness of breath, a sore throat, loss of sense of taste and smell) and decide you want to get tested.
You register to get tested via the coronatest website, where you can choose from three available options. You can also phone the call centre to schedule an appointment. In some cases, the call centre will put you through to the GGD. The doctor may give you a referral for an appointment, in which case you do not need to phone the call centre yourself.
The coronavirus test is carried out and the sample is examined in a laboratory.
The results can be checked on the coronatest website or will be communicated to you personally. If the test comes back positive, you will be contacted by the GGD.
If you test positive, you will be contacted to discuss the subsequent steps. This can include going into isolation and take part in contact tracing.

The process is described in detail below.

The entire testing process consists of the following steps:
invitation/registration, sample collection, transport, analysis and provision of results. Each step is explained below.

STEP 1: INVITATION/REGISTRATION

There are various ways to make an appointment:

Via the coronatest website
Via the call centre
Via a company doctor

1. Registering via the coronatest website

You go to the coronatest website, where you will indicate which symptoms you have. If your symptoms are consistent with coronavirus, you will be asked several questions. For example, whether you have been in direct contact with people who were infected with the coronavirus, and whether you have worked or interacted with others.

Then, you can log on using your DigiD and choose a date, time and test location. We also ask you for your telephone number and email address, so that we can send you confirmation and can contact you if need be. You will receive a confirmation of your testing appointment by email and text message.

Registering via the call centre

You phone the call centre to make an appointment. The trained call centre employee enters your personal data in CoronIT. An appointment is made for the coronavirus test. You will receive a confirmation of your testing appointment by email and text message.

Registering via a company doctor

A doctor assesses whether you are eligible for testing. If so, the doctor will register your data in CoronIT. The doctor schedules a date and location for the coronavirus test. You will receive a confirmation of your testing appointment by email and text message.

STEP 2: COLLECTION

The GGD administers the coronavirus test at a test location. They retrieve your personal data in CoronIT. The GGD employee assigns a unique barcode from a test tube to your personal data.

The coronavirus test is administered using a swab, with which cells are collected from the nasal cavity and throat.

STEP 3: TRANSPORT OF THE SAMPLE

Following collection, the test tube is securely packed. The test tube with the unique bar code is transported directly from the test location to the test laboratory by a courier.

The test laboratory receives the samples and proceeds to check and analyse them.

STEP 4: ANALYSIS OF THE SAMPLE

On arrival, the test laboratory checks the barcodes in a separate module of CoronIT. They also record the time at which the sample was received and by which laboratory in CoronIT.

The test laboratory then carries out the coronavirus test on the sample. The result of this test can be positive, negative or inconclusive (void). The result is processed in CoronIT by linking it to the unique barcode of the tested sample.

STEP 5: PROVISION OF RESULTS

Per unique barcode in CoronIT, the test laboratory indicates whether the result of the coronavirus test was positive, negative or inconclusive/void. The result is then linked to you via CoronIT and is then passed on to the GGD.

You will then be informed of the test results in one of the following ways: by a doctor, the GGD or a call centre employee, or you will be notified by text message and email that the results are available on the coronatest website. If the test comes back positive, you will be contacted by the GGD. The GGD will also discuss with you what steps must be taken next.

Supplementary use of personal data

Your personal data will also be used for the preparation of anonymised reports to obtain a clear picture of developments with respect to infections. This can include an analysis of total numbers of positive/negative samples per date, laboratory or GGD. Anonymised means that the reports themselves will not contain any personal data.

With your permission, the conversation with the call centre employee will also be recorded for quality assurance purposes.

Your personal data will not be used for purposes other than those described above.

What personal data are used?

We need to collect various personal data from you in order to ensure the COVID-19 test is carried out properly and to be able to communicate the results to the involved parties.

The following is a list of the personal data we will need from you and will use:

First name and surname
Address
Date of birth
Gender
Citizen service number (BSN)
Telephone number (to confirm the appointment and communicate the results)
Email address
Symptom check-list (symptoms and course of illness)
Whereabouts (if you are not staying at your home address)
Test tube barcode
COVID-19 test result
If applicable: name of the requesting doctor
Whether you have been in direct contact with others
Whether you have worked (paid or as a volunteer or trainee) and if so, in which profession.
You must use your DigiD to log on to the coronatest website. This ensures that you can make your appointment securely and that we can verify who made the appointment. We cannot view your DigiD username and password. Access is controlled exclusively by DigiD.

What is the basis for the use of my personal data?

According to the GDPR, the processing of your personal data is only permitted if there is a specific basis (valid reason) for doing so. These bases are mentioned in the GDPR. These are: consent, contract, legal obligation, vital interests, public task/general interest or legitimate interests.

The management of epidemics caused by infectious diseases is a public task/general interest. Under the Wet publieke gezondheid (translated here as Public Health Act), the GGD is required by law to register (record), examine (check out) and follow up on suspected cases of an infectious disease. In addition, the GGD is required to report the results to the National Institute for Public Health and the Environment (RIVM).

The basis for processing the personal data is a legal obligation. This can be found in Section 6, subsection 2 and 4 of the Wet publieke gezondheid (translated here as Public Health Act) and Section 11, subsection 1 of the Besluit publieke gezondheid (translated here as Public Health Decree).

Your conversation with the call centre employee will only be recorded with your approval. You must state whether you grant permission for this before the conversation begins. In this case, your consent forms the basis for processing your personal data (GDPR, Section 6, subsection 1, under a and Section 9, subsection 2, under a).

How long will my personal data be kept?

The statutory retention period for the registration of your personal data is five (5) years. This is based on the Wet publieke gezondheid (translated here as Public Health Act). After this period, your personal data will be destroyed or made anonymous.

If your personal data needs to be kept for any longer, we will request your permission for this, unless we are obliged under other legislation to retain it.

Any conversations you have had with the call centre will be kept for a period of 14 days for quality control purposes and for the handling of complaints. After that, they will be removed. If any incidents (e.g. complaints) are ascertained during this 14-day period, the conversation will be kept until the incident is resolved. Conversations are only recorded if you give your consent for this via the options menu.

How do we protect your personal data?

It is important to us that your personal data is properly protected. We therefore ensure that the parties that process the data on our behalf make agreements with us regarding what they are permitted to do with your data.

We also ensure that the system used is secure and that the security features are tested. In addition, the employees who work with your personal data know what they are and are not permitted to do with the data. They must also keep the personal data secret.

Finally, we put procedures in place and follow the legislation and standards that apply to the use of your personal data in the context of this project.

How can I exercise my rights with regard to privacy?

Under the law, you have various rights when it comes to the processing of your personal data. You can contact your local GGD if you wish to exercise these rights.

You have a right to be duly informed about the use of your personal data
You have a right to obtain access to your personal data and receive a copy of it
You have a right to have incorrect personal data corrected
In some cases, you have a right to have your personal data erased
In some cases, you have a right to object to the use of your personal data

If you have any other questions about the use of your personal data, you can always contact the data protection officer of your local GGD.

Who can I contact if I have any questions or complaints concerning my privacy?

Do you have any complaints about the way in which your personal data has been processed, the way in which a request has been handled or the use of your personal data?

You can initially direct your question or complaint to the Data Protection Officer of the GGD that carried out your test. See the privacy statement of the relevant GGD for this purpose. A list of GGD websites can be found in Appendix 1.

If necessary, a complaint can also be filed with GGD GHOR Nederland. The complaint can be submitted to the GGD GHOR Nederland data protection officer via fg@ggdghor.nl.

If you do not agree with the decision about your complaint or the way in which it was handled, you can submit a complaint about this to the Dutch Data Protection Authority. This can be done via the website: https://autoriteitpersoonsgegevens.nl/nl/voordat-u-een-klacht-indient

Amendments

GGD GHOR will amend this privacy statement if necessary, or if any changes are made to the parties that will receive your personal data or to the type of personal data that is collected about you.

This statement was last amended on 1 July 2020.

Appendix 1: List of GGD websites

Want to know which GGD your municipality falls under? You can find out at www.ggd.nl.